Editorial

Public DNS providers: Do they actually improve your experience?

Services such as OpenDNS and Google Public DNS have recently attracted a lot of attention due to their claims to speed up web browsing simply by changing the DNS servers your computer uses to resolve domain names into IP addresses. The basic idea behind these services is that many ISPs do not invest heavily in their own DNS infrastructure, which can result in slow response times, particularly at busy times of day. By building a network of servers specifically to handle high volumes of DNS traffic, these companies hope to improve the experience for end users, but is this the reality?

Firstly, we should examine the fact that while your ISP hosts its DNS resolvers within its own network, to which your modem is directly connected, 3rd-party services such as OpenDNS and Google's offering are not. This means your query has to travel further to reach the server that will perform the resolution on your behalf, and on the Internet, a longer path means a longer response time. There may be some ISPs around the world whose internal network is so complex or badly designed that the round trip between your computer and your ISP's DNS resolvers takes longer than a round trip to those provided by a 3rd party, but companies these days are generally more competent, so this is unlikely.

So, how does the DNS response time affect actual browsing speed? The answer is: very little. When you first visit a website, your computer makes a query to discover the IP address of the server hosting that site, and upon receiving the response, stores the IP address in a local cache, meaning that further requests for that website will not generate another DNS query. This data is held in the cache until the time-to-live (TTL) specified in the DNS reply has expired. So whilst using a faster DNS server may speed up your first load of a webpage, it will not affect the time it takes to load the next page on that website, so in real terms the saving is minimal, in the order of a few milliseconds.

What, then, are the pitfalls? With the growth of user-generated content and the expansion of software-as-a-service, many companies are turning to CDNs (Content Delivery Networks) to deliver their content to users. The principle of a CDN is that a number of widely distributed nodes around the world hold identical copies of the content the site owner wishes to serve. When a user requests a specific piece of content, it is delivered by the CDN node that is closest to them. This results in far better speeds, and thus a better experience for the user, and can also help to reduce bandwidth bills for the site owner.

Where does DNS fit into this? DNS is the mechanism by which most CDNs direct your request to the nearest node for content delivery. When you request content stored on a CDN, your browser must first resolve the IP address of the server hosting the content. To do this, it sends a DNS query to the DNS servers configured on your computer; these then pass the query on to the nameservers that actually host the domain. Those nameservers check which of the CDN nodes is closest to the resolver that sent them the query (the only source address they see), and return the IP address of that node.

The issue here is that while your ISP's DNS servers are generally located near you, or at least take a similar path across the Internet from your ISP's network to the website's nameservers, 3rd-party DNS servers will not be. This can result in receiving the IP address of a CDN node which is not optimal for your location, but rather optimal for the location of the 3rd-party DNS servers. While the query and response may have happened faster, you are now forced to load the content from a sub-optimal CDN node, which can affect your browsing experience far more. A DNS query is a matter of a few kilobytes and transfers quickly, but content served via CDN nodes is often images or video, which are much larger, and a slower connection here will be far more noticeable.
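The steering decision described above, as an added example in Python (not code from the original article or from any CDN): a constructed authoritative-server rule picks the CDN node nearest the querying resolver, using placeholder RFC 5737 addresses and approximate city coordinates, and measures the extra distance a user in Singapore incurs when the query arrives from a remote public resolver instead of a local ISP one.

```python
import math

# Constructed sample data (not real CDN or resolver addresses).
# CDN nodes: name -> (latitude, longitude), approximate city locations.
CDN_NODES = {
    "node-sg": (1.35, 103.82),      # Singapore
    "node-tokyo": (35.68, 139.69),  # Tokyo
    "node-sfo": (37.77, -122.42),   # San Francisco
    "node-nyc": (40.71, -74.01),    # New York
}

# Resolver source addresses as the authoritative nameserver sees them.
# The IPs are RFC 5737 documentation placeholders mapped to an assumed location.
RESOLVERS = {
    "192.0.2.53": ("ISP resolver in Singapore", (1.30, 103.85)),
    "198.51.100.53": ("public resolver in California", (37.40, -122.08)),
}


def haversine_km(a, b):
    """Great-circle distance in kilometres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def steer(resolver_ip):
    """Nameserver logic from the article: pick the CDN node nearest the
    *resolver* that sent the query, since that is the only address it sees."""
    _, loc = RESOLVERS[resolver_ip]
    return min(CDN_NODES, key=lambda n: haversine_km(loc, CDN_NODES[n]))


def client_penalty_km(client_loc, resolver_ip):
    """Extra distance the client fetches content over, compared with the node
    that is truly nearest to the client, when steered via this resolver."""
    chosen = steer(resolver_ip)
    best = min(CDN_NODES, key=lambda n: haversine_km(client_loc, CDN_NODES[n]))
    return (haversine_km(client_loc, CDN_NODES[chosen])
            - haversine_km(client_loc, CDN_NODES[best]))


if __name__ == "__main__":
    client = (1.29, 103.86)  # constructed: a home user in Singapore
    for ip, (desc, _) in RESOLVERS.items():
        print(f"{desc}: steered to {steer(ip)}, "
              f"extra distance for the client {client_penalty_km(client, ip):.0f} km")
```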

Many of these DNS providers have a good presence in the US, but OpenDNS's Network Map shows that it is lacking in servers outside of this region. This means that while a number of CDN owners operate nodes in Asia, users from that region who make use of the OpenDNS service would be directed instead to US-based nodes, which they would access over the much slower trans-Pacific links.

OpenDNS offers a number of features on top of just performing DNS resolution, including content filtering and phishing protection, which may be useful to some, but if your primary reason for using a 3rd-party DNS service is to speed up your web browsing, it may be worth giving it a second thought, especially if you frequent websites which make heavy use of CDNs, such as Facebook and YouTube.


98 Comments


I don't like the conclusions drawn by this article. Ultimately, the speed of response of a user's DNS servers is almost a completely individual experience.

Some ISPs' DNS servers are well designed and maintained. Their users don't see much benefit, speedwise, in switching to public DNS servers. On the other hand, there are ISPs whose DNS servers are abysmal. A case in point is O2. Until recently, their DNS servers would stop responding to requests for ten seconds or more at a time. This gave users the impression that their entire Internet connection had simply stopped working. In this case, switching to public DNS servers made a huge difference.

This article could really be written in two lines: "Do public DNS servers actually improve your experience? Only if they're faster than your ISP's."

But again, would you rather have an extra few milliseconds to wait (if your ISP DNS servers are slower) and be properly geolocated by most CDNs, or use a marginally quicker-resolving DNS server, only to be wrongly geolocated by some CDNs.

bmaher said,
But again, would you rather have an extra few milliseconds to wait (if your ISP DNS servers are slower) and be properly geolocated by most CDNs, or use a marginally quicker-resolving DNS server, only to be wrongly geolocated by some CDNs.

The benefits of better-performing DNS far outweigh the handful of CDNs who will be affected by this for a lot of people, especially those who know anything about the state of DNS security.

ascendant123 said,

The benefits of better-performing DNS far outweigh the handful of CDNs who will be affected by this for a lot of people, especially those who know anything about the state of DNS security.

DNS has its issues, which are being resolved partly by the introduction of DNSSEC, but until the point where all domains implement it, all DNS servers are going to be vulnerable to DNS cache poisoning attempts. Some will be better than others, and I see that OpenDNS uses source port randomisation, but then so do many other DNS implementations, such as BIND (the most popular DNS server software on the Internet) since recent updates.

DaveLegg said,

DNS has its issues, which are being resolved partly by the introduction of DNSSEC, but until the point where all domains implement it, all DNS servers are going to be vulnerable to DNS cache poisoning attempts. Some will be better than others, and I see that OpenDNS uses source port randomisation, but then so do many other DNS implementations, such as BIND (the most popular DNS server software on the Internet) since recent updates.

While source port randomisation has its benefits (when correctly combined with a cryptographically secure PRNG and a nonce), it is largely mitigated by PAT at the consumer level, which makes it kind of a hollow offering. There are 20+ other security measures that are almost always missed, such as TSIG/TKEY implementations, BIND ACLs, and slave server zone transfer security.

Fortunately DNSSEC is due to go live on root servers A to M next month, which should give it some much-needed publicity. It brings with it new records (RRSIG, DNSKEY, DS, NSEC) and digitally signs all communication with the server; many DNS servers implement this but it is relatively rare at the ISP level. While BIND9 thoroughly supports DNSSEC and TSIG, unfortunately the vast majority of ISPs are running something around BIND8, one of the most insecure releases since 4.

If you are interested in more of the technical details of the security behind modern DNS hit me up. It's my job.

DaveLegg said,

I'm sure the rollout date was May 5th? I did an article a few weeks back debunking what people were saying about the rollout crippling the internet for many people: http://www.neowin.net/news/dns...5th---internet-will-live-on

Yep, May 5 was the go-live date for 13 of the boxes. There are a number of physical boxes behind these 13 addresses that weren't all switched on at once/serve clients with a much larger TTL (who therefore wouldn't be impacted for a period of time). There were also a number of standards within EDNS0 that were not immediately enabled, to minimise impact by staging the release.

The 100% live time guarantee is July 1, 2010.

DNSSEC has actually been available on most of the 13 addresses since mid-2009. More info at: http://www.dnssec-deployment.org/ although the official deployment PDF is way out of date ('07).

Using a public DNS server CAN make browsing faster. It could make the time between when you type the page into the address bar and when it starts loading much faster.

With my ISP's DNS server there is literally a 3 second pause before first loading the page, since the browser is waiting for the DNS server to resolve.

When I switched to OpenDNS the resolving was much quicker and it instantly started loading the page.

So yes, there would be a speed boost, since it would take LESS time to start actually loading the page.

The first time you load the page, yes, but after that it's cached. The main point of the article, that a lot of people seem to have totally missed, is that it can lead to directing you to a CDN node that is not the optimal one for your location, causing content on the page such as images and videos to load slower.

The part I find interesting is that there are always a few losers who will say DNS routing does not work, but never offer a solution to make it better.

I believe it can be a good idea to use them. Say you're trying to connect to something and it doesn't work. By using, say, the OpenDNS servers you could get that something to actually connect.

So wait, Dave's writing editorials on his university notes or what? Don't really see the point in this article o_O It's kind of a long-winded way of saying if the server's farther away, the longer it will take for IP resolution. Well, no way, I would've never guessed!!!!

Maybe I'll write an article about Fibre Optic vs Ethernet >.>

It's nothing to do with university.

It also seems you have missed the point of the article. My main point is the selection of sub-optimal CDN servers, which are becoming more and more popular as UGC grows on the web; the rest is there for the sake of completeness.

Your point makes sense when you look at CDN servers that use DNS to route to the closest server, but in my experience most use BGP to do the routing. BGP allows servers in multiple locations to all share an IP address, in which case, unless something is wrong on your ISP's routers, you will get to the closest location. On the other hand, if one of the servers or locations is down you should still get the content from another server that is up. Having DNS hand out multiple addresses based on the IP of the requesting DNS server is the wrong way to set up a CDN.

My ISP's DNS servers are well known for their slow response times and, during peak hours, sometimes quit working altogether. All of my friends and family who share the same ISP with me complain of the same problems, where the internet "quits working". So I've set their DNS servers to a third party and they haven't had trouble since. So yes, in the case of my ISP they do improve mine, and everyone's, experience.

My ISP is kind of in the same boat. Excellent service, connection quality is rock solid and fast, but I swear they bought their DNS servers at WalMart. OpenDNS has been pretty good to me. If my ISP's servers were more reliable I'd stick with theirs, but since they go down more often than I would rather deal with, I'm staying with OpenDNS. In my case anyway, my overall "internet experience" has improved.

Plus you can occasionally use public DNS offerings to bypass captive portals at WiFi cafes and hotels etc depending on how they implement it.

My College tried to maintain their own DNS and it sucked a lot, thus my need for OpenDNS. But, now that I'm not there anymore, my local ISP has an excellent DNS and I don't need it anymore.

If they didn't improve anything, they wouldn't be as popular as they are. I know for a fact OpenDNS is faster than Roadrunner's DNS. Sure, Roadrunner's DNS is fine at night time, but any time during the day when it's busy, it's bogged down to the point it's extremely annoying. I noticed a huge performance increase after I dumped the Roadrunner DNS.

I would never trust any DNS server run by Google. You can pretty much bet that they will record everything and keep it forever.

As far as speed, I would agree with many who state the noticeable speed difference is very minimal. But OpenDNS rocks for adding an additional layer of filtering that's FREE! Combine it with K9 Web Protection, NoScript, Adblock Plus and Malwarebytes/Ad-Aware/MSSE. That's a pretty decent way to try and keep as much of the crap/spy/rogue/ransomware and other traditional threats off your computer. It's NOT perfect and I'm not purporting such a configuration to be foolproof! Adding as many easily managed layers as possible can help you stay free of such dangers online, and using common sense helps. That's what I like about OpenDNS from an administrator's point of view.
